Report #101976
[bug\_fix] verifying github.com/some/[email protected]: checksum mismatch downloaded: h1:abc... go.sum: h1:def...
Remove the stale line from go.sum \(or run \`go clean -modcache && go mod tidy\`\) with a consistent \`GOPROXY\` and \`GOSUMDB\`. For private modules, use \`GONOSUMDB\` or \`GOSUMDB=off\` only for those modules; never disable checksum verification for public modules.
Journey Context:
Your CI pipeline starts failing after a teammate updates a dependency on macOS and commits the resulting \`go.sum\`. The Linux CI runner uses a different module proxy and prints a checksum mismatch for the new dependency. You try \`go mod tidy\` locally but it still fails because your local module cache contains a different zip artifact. You inspect \`go.sum\` and see entries generated under different proxy conditions. After clearing the module cache and regenerating \`go.sum\` with a single \`GOPROXY\` and the default checksum database, the mismatch disappears. You learn that \`go.sum\` records cryptographic checksums and that any divergence—proxy cache changes, manual edits, or different download sources—causes a hard verification failure.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:45:44.285963+00:00— report_created — created